Solaris 10 sshd + GSSAPI = where's my cred cache?

Jeff Blaine jblaine at kickflop.net
Mon Nov 5 14:03:26 EST 2007


Sorry, I meant to say "GSSAPIDelegateCredentials yes"
on the client side.

Douglas E. Engert wrote:
> 
> 
> Jeff Blaine wrote:
>> Solved.
>>
>> Had to force client-side "-o GSSAPIStoreDelegatedCredentials yes"
>> even though it was not defined anywhere as "no" (although probably
>> a default for some reason).
> 
> Are you sure that was it? GSSAPIStoreDelegatedCredentials is a server side
> option and defaults to yes. The client side option is GSSAPIDelegateCredentials
> and defaults to no for security reasons. (You should only delegate to trusted
> machines.)
> 
> man ssh_config and man sshd_config shows the options.
> 
>>
>> Jeff Blaine wrote:
>>> Nicolas et al,
>>>
>>> ==== SSHD server ====================================================
>>>
>>> ~:alberta> uname -a
>>> SunOS alberta.foo.com 5.10 Generic_127111-01 sun4u sparc SUNW,Ultra-5_10
>>> ~:alberta>
>>>
>>> ~:alberta> sudo /usr/lib/ssh/sshd -p 3333 -o
>>> "GSSAPIStoreDelegatedCredentials yes" -o "GSSAPIKeyExchange yes" -o
>>> "GSSAPIAuthentication yes" -ddd
>>>
>>> ==== SSH client =====================================================
>>>
>>> ~:rcf-kerbtest-linux> grep GSSAPI /etc/ssh/ssh_config
>>>         GSSAPIAuthentication yes
>>> ~:rcf-kerbtest-linux> ls .ssh/config
>>> ls: .ssh/config: No such file or directory
>>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_26560_XM0qlu
>>> Default principal: jblaine at RCF.FOO.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/01/07 14:30:02  11/08/07 13:30:02  krbtgt/RCF.FOO.COM at RCF.FOO.COM
>>>         Flags: FI
>>> 11/01/07 14:30:02  11/08/07 13:30:02  afs at RCF.FOO.COM
>>>         Flags: FT
>>> 11/01/07 14:30:27  11/08/07 13:30:02  host/alberta.foo.com at RCF.FOO.COM
>>>         Flags: FT
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt26560
>>> klist: You have no tickets cached
>>> ~:rcf-kerbtest-linux> /usr/bin/ssh -p 3333 alberta
>>> Last login: Mon Nov  5 11:15:47 2007 from rcf-kerbtest-li
>>> ...
>>> ~:alberta> /usr/bin/klist
>>> klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_26560)
>>> ~:alberta>
>>>
>>> ==== SSHD server reports =======================================
>>> ...
>>> debug1: userauth-request for user jblaine service ssh-connection method gssapi-with-mic
>>> debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
>>> debug2: input_userauth_request: try method gssapi-with-mic
>>> debug1: Client offered gssapi userauth with { 1 2 840 113554 1 2 2 } (supported)
>>> debug2: Mapping initiator GSS-API principal to local username
>>> debug2: Mapped the initiator to: jblaine
>>> debug2: Starting PAM service sshd-gssapi for method gssapi-with-mic
>>> debug3: Trying to reverse map address xxx.xx.11.213.
>>> debug3: Not storing delegated GSS credentials (none delegated)
>>> Accepted gssapi-with-mic for jblaine from xxx.xx.11.213 port 41605 ssh2
>>> ...
>>>
>>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
> 
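As an added example (not code from this thread, from OpenSSH or from Solaris), the following Python script models the two options Douglas describes: it reads a client ssh_config (plus any `ssh -o` overrides), a server sshd_config (plus any `sshd -o` overrides), and reports whether a forwarded ticket will end up in a credential cache on the server, or which side is blocking it. It goes a step beyond the thread by also flagging `GSSAPIDelegateCredentials yes` that applies to every host, since a delegated TGT is usable by whoever controls that host. Assumptions: upstream OpenSSH defaults (GSSAPIAuthentication no on both sides, GSSAPIDelegateCredentials no, GSSAPIStoreDelegatedCredentials yes), the ssh_config rule that the first obtained value of a keyword wins, and shell-glob Host patterns; Match blocks are not modelled. All configuration text in it is constructed for illustration.

```python
"""Added example (not from the thread or from OpenSSH): decide whether Kerberos
credential delegation over ssh will yield a credential cache on the server.
Assumed semantics (ssh_config(5)/sshd_config(5)): first obtained value of a
keyword wins, so -o overrides beat the file and earlier stanzas beat later
ones; Host patterns are shell globs, '!' negates. Assumed upstream defaults:
GSSAPIAuthentication no, GSSAPIDelegateCredentials no (client),
GSSAPIStoreDelegatedCredentials yes (server). Sample configs are constructed."""
import re
from fnmatch import fnmatchcase

CLIENT_DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}
SERVER_DEFAULTS = {"gssapiauthentication": "no", "gssapistoredelegatedcredentials": "yes"}


def _keyword(line):
    """Return (keyword, value) for one config line, or None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
    val = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return parts[0].lower(), val


def host_matches(patterns, hostname):
    """A Host line matches if a positive pattern matches and no negated one does."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatchcase(hostname, pat):
            matched = True
    return matched


def client_options(ssh_config, hostname, cli_overrides=""):
    """Effective ssh options for `hostname` (the name typed on the command line).
    Returns {keyword: (value, source)}; source is the Host pattern that supplied
    the value, '-o' for a command-line override, '(global)' or '(default)'."""
    opts = {k: (v, "(default)") for k, v in CLIENT_DEFAULTS.items()}
    seen = set()
    # -o options are obtained before the file, so they are scanned first.
    stream = [(l, "-o") for l in cli_overrides.splitlines()]
    stream += [(l, None) for l in ssh_config.splitlines()]
    active, source = True, "(global)"  # lines before any Host apply everywhere
    for raw, tag in stream:
        kv = _keyword(raw)
        if kv is None:
            continue
        key, val = kv
        if tag is None and key == "host":
            active, source = host_matches(val, hostname), val
            continue
        if tag is None and key == "match":
            active = False  # Match blocks are not modelled; skip their contents
            continue
        if (tag == "-o" or active) and key not in seen:  # first value wins
            seen.add(key)
            opts[key] = (val.lower(), tag or source)
    return opts


def server_options(sshd_config, cli_overrides=""):
    """Effective sshd options; -o overrides win, parsing stops at the first Match."""
    opts = dict(SERVER_DEFAULTS)
    seen = set()
    for raw in (cli_overrides + "\n" + sshd_config).splitlines():
        kv = _keyword(raw)
        if kv is None:
            continue
        key, val = kv
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            opts[key] = val.lower()
    return opts


def diagnose(ssh_config, sshd_config, hostname, client_overrides="", server_overrides=""):
    """Return {'delegates': bool, 'findings': [str]} for one client/server pair."""
    c = client_options(ssh_config, hostname, client_overrides)
    s = server_options(sshd_config, server_overrides)
    findings, ok = [], True
    if c["gssapiauthentication"][0] != "yes" or s["gssapiauthentication"] != "yes":
        ok = False
        findings.append("GSSAPIAuthentication must be yes on both client and server")
    deleg, src = c["gssapidelegatecredentials"]
    if deleg != "yes":
        ok = False
        findings.append(f"client will not delegate: GSSAPIDelegateCredentials is {deleg} "
                        f"(from {src}); sshd then logs 'Not storing delegated GSS "
                        "credentials (none delegated)' and klist finds no cache")
    elif s["gssapistoredelegatedcredentials"] != "yes":
        ok = False
        findings.append("server will not store the delegated ticket: "
                        "GSSAPIStoreDelegatedCredentials no in sshd_config")
    elif src == "(global)" or "*" in src.split():
        # Every host you ssh to receives a usable TGT; a per-command -o is not flagged.
        findings.append(f"delegation is enabled for every host (source: {src}); "
                        "limit GSSAPIDelegateCredentials yes to trusted hosts")
    return {"delegates": ok, "findings": findings}


# Constructed samples modelled on the thread's setup.
CLIENT_CONFIG_THREAD = "GSSAPIAuthentication yes\n"   # the Linux client's /etc/ssh/ssh_config
SERVER_CLI_THREAD = ("GSSAPIStoreDelegatedCredentials yes\nGSSAPIKeyExchange yes\n"
                     "GSSAPIAuthentication yes\n")  # the sshd -o options from the thread
CLIENT_CONFIG_SCOPED = """\
Host alberta alberta.foo.com
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

if __name__ == "__main__":
    for label, kw in [("as posted", {}),
                      ("with -o override", {"client_overrides": "GSSAPIDelegateCredentials yes"})]:
        print(label, diagnose(CLIENT_CONFIG_THREAD, "", "alberta",
                              server_overrides=SERVER_CLI_THREAD, **kw))
    print("scoped config", diagnose(CLIENT_CONFIG_SCOPED, "", "alberta",
                                    server_overrides=SERVER_CLI_THREAD))
```

Run as-is it reproduces the thread: the first line says the client never delegates (the default), the second shows the `-o GSSAPIDelegateCredentials yes` fix, and the third shows the scoped ssh_config that delegates only to alberta, which is the durable way to satisfy Douglas's "only delegate to trusted machines" point.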